The Bulletin goes onto the matter of a Cyber-attack during war

“If a cyber attack were to be executed against a ship by a government or organised rebels in a period of war or civil war, the war risks exclusion in the rules would be engaged.”

It is with particular attention that the Shipping company or Vessel should consider the word `war` and `terrorism` and their definitions.  We are about to look at another P&I policy on Cyber Insurance and understanding these definitions will have a key role when development your procedures and considering your liability.

Note:  I hope you were paying attention when you conducted the Cyber Operators course (Op) which discussed these terms in more detail!

Contact your P&I Club for detailed information about cover provided to shipowners and charterers in respect of liability to third parties (and related expenses) arising from the operation of ships.

An incident caused, for example by malfunction of a ship’s navigation or mechanical systems because of a criminal act or accidental cyber attack, does not in itself give rise to any exclusion of normal P&I cover. In the event of a claim involving a cyber incident, claimants may well seek to argue that the claim arose as a result of an inadequate level of cyber preparedness. This, therefore, further stresses the importance of companies being able to demonstrate that they are acting with reasonable care in their approach to managing cyber risk and to protecting the ship. It should be noted that many losses, which could arise from a cyber incident, are not in the nature of third-party liabilities arising from the operation of the ship and are therefore not covered by P&I insurance. For example, financial loss caused by ransomware, or costs of rebuilding scrambled data would not be identified in the coverage.

Clause 380 originally entered the insurance market in the offshore drilling industry. It is commonly found in maritime insurance policies and explains why cyber incidents are not normally covered. It is known as the INSTITUTE CYBER ATTACK EXCLUSION CLAUSE:

Example of this clause on a certificate

Tanker Management and Self-Assessment (TMSA) also require plans and procedures to be implemented.

On 1 January 2018, the Oil Companies International Marine Forum’s(OCIMF) Tanker Management and Self-Assessment (TMSA) version 3 will came into force.

The TMSA programme provides companies with a means to improve and measure their own safety management systems. One of the salient changes in the TMSA version 3 is the addition of the 13th performance element which focuses on Maritime Security. T

his new element will require Members who are subscribed to the Ship Inspection Reporting Programme (SIRE) programme, to incorporate cyber risk security policies and procedures within the company/vessel’s operating procedures.

IMO Resolution MSC.428(98) identifies cyber risks as specific threats, which companies should try to address as far as possible in the same way as any other risk that may affect the safe operation of a ship and protection of the environment. Cyber risk management should be an inherent part of the safety and security culture conducive to the safe and efficient operation of the ship and be considered at various levels of the company, including senior management ashore and onboard personnel.

This means that the company needs to assess risks arising from the use of IT and OT onboard ships and establish appropriate safeguards against cyber incidents. Company plans and procedures for cyber risk management should be incorporated into existing security and safety risk management requirements contained in the ISM Code and ISPS Code.